Closed ringerc closed 3 years ago
I did some quick and dirty instrumentation of auth.go
and produced the following trace of comms where ->
is client-to-server and <-
is server-to-client:
-> AUTH
<- REJECTED EXTERNAL
-> AUTH EXTERNAL 6372616967
(hex for "craig")<- REJECTED EXTERNAL
tryAuth
bails out, as it wasn't expecting REJECTED
while in waitingForOk
statetrace:
$ go build && ./listnames
2021/08/17 11:49:55 auth: begin, methods: []
2021/08/17 11:49:55 auth: using default methods EXTERNAL and COOKIESHA1
2021/08/17 11:49:55 connecting to transport
2021/08/17 11:49:55 send empty byte
2021/08/17 11:49:55 AUTH
2021/08/17 11:49:55 authWriteLine():
2021/08/17 11:49:55 AUTH
2021/08/17 11:49:55 getting response
2021/08/17 11:49:55 authReadLine():
2021/08/17 11:49:55 REJECTED
2021/08/17 11:49:55 EXTERNAL
2021/08/17 11:49:55 response: [[82 69 74 69 67 84 69 68] [69 88 84 69 82 78 65 76]]
2021/08/17 11:49:55 REJECTED
2021/08/17 11:49:55 EXTERNAL
2021/08/17 11:49:55 trying EXTERNAL
2021/08/17 11:49:55 trying method dbus.authExternal({craig})
2021/08/17 11:49:55 Initial status AuthOk, sending FirstData
2021/08/17 11:49:55 authWriteLine():
2021/08/17 11:49:55 AUTH
2021/08/17 11:49:55 EXTERNAL
2021/08/17 11:49:55 6372616967
2021/08/17 11:49:55 dbus.authExternal({craig}) tryAuth(state=waitingForOk) reading line
2021/08/17 11:49:55 authReadLine():
2021/08/17 11:49:55 REJECTED
2021/08/17 11:49:55 EXTERNAL
2021/08/17 11:49:55 dbus.authExternal({craig}) tryAuth(state=waitingForOk) state=waitingForOk gotmsg=REJECTED
2021/08/17 11:49:55 dbus.authExternal({craig}) tryAuth(state=waitingForOk) got REJECTED (waitingOK)
2021/08/17 11:49:55 dbus.authExternal({craig}) ok: false
It seems the server doesn't like AUTH EXTERNAL 6372616967
though it advertises EXTERNAL
, so it sends REJECTED
and lists EXTERNAL
as the supported mechanism.
The protocol documents AUTH as AUTH [mechanism] [initial-response]
and says
If the [initial-response] argument is provided, it is intended for use with mechanisms that have no initial challenge (or an empty initial challenge), as if it were the argument to an initial DATA command. If the selected mechanism has an initial challenge and [initial-response] was provided, the server should reject authentication by sending REJECTED.
(bold mine)
so it looks like the server wants to send an initial challenge.
If I change the FirstResponse result to send simply AUTH EXTERNAL
then the server replies with a DATA
payload, so that seems to be the issue.
Seems like the SASL mech expects to exchange a pair of empty-payload DATA
messages. This requires some reworking of the mechanism API to use variable length argument and response arrays, but works.
I've prepped a patch to handle the working handshake.
What I'm not so sure about is under which circumstances the original
AUTH EXTERNAL [hex-encoded-username]
handshake works and is required. Thus I can't be sure I'm not breaking something that's required to work correctly on some other platform, version or SASL based D-Bus configuration.
It might make sense to try the empty handshake, and if it gets REJECTED
retry the EXTERNAL
handshake with the initial-data field. Thoughts?
It looks like https://github.com/keybase/go.dbus might've picked up as a continuation of this repo, so will file there instead.
On Fedora 33, building and running any of the examples e.g.
list-names.go
will fail withThere's a usable session bus address
and command-line d-bus operations work
so the bus is usable.
SELinux is in permissive mode (unfortunately, due to unrelated issues) so it's not SELinux related.
I don't see any relevant output in
dbus-monitor --session
when I attempt to auth while it's running.It's unclear why this is happening. I'll look into it, but wanted to file this now so others with a similar issue can find it.